Sobig hit the world on Aug. 18, 2003, and was an immediate success. The sixth variant, Sobig.F, may have been the most successful endemic mass-mailer worm. Estimates of the damages it caused were in the tens of millions of dollars, and the reward posted for the author was similarly fat.
Anonymous authors have released a document detailing forensic efforts to identify the author of this worm. They say that they hope to assist law enforcement efforts by releasing details and to demonstrate to the public how forensic techniques may be used to identify the authors of these attacks. They also say they stayed anonymous to keep the focus on Sobig and not them.
I was surprised to see that they identified a specific person. According to the paper, “… Ruslan Ibragimov of Moscow, Russia, and/or Ibragimovs development team, authored the Sobig virus. Ibragimov himself is the author of Send-Safe, a bulk mailing tool product that was explicitly designed for sending unsolicited email (spam).” Ibragimov has vehemently denied being the author of Sobig.
Whether he wrote Sobig or not, Ibragimov is an easy character to dislike. He is the proprietor of the Russian company Send-Safe, maker of quality spamming tools. (Please read about his products; theyre good blood-boiling material irrespective of this Sobig stuff. I especially seethed at his “Bulk IM” products.)
As the authors of the anonymous paper point out, Sobig was designed for exploitation by spammers. It was the first (to my knowledge) big e-mail worm to create backdoors to allow spammers to hijack systems for use as mail proxies.
The authors assert that the releases of Send-Safe and the releases of Sobig appear coordinated and indicate that the author of one had advance knowledge of the work of the other. Many of the programming skills necessary to write Sobig, the report authors say, are the same as those Ibragimov or his team used to write Send-Safe. Most damning, they say that large opcode sequences (meaning the machine instructions in the program) in Sobig and Send-Safe are identical, including many having specifically to do with sending e-mails.
Finally, why would Ibragimov do this? According to the report authors: “As Send-Safe provides a list of open proxies to subscribers, there is a clear financial motive for Ibragimov to have created the Sobig worm.” Oy!
The rest of the report consists of specific evidence backing up these assertions. For instance, the report notes releases of Send-Safe that utilize features in new versions of Sobig and then use of those features by spammer groups that use Send-Safe. It notes specific programming techniques that are common between the two programs. Most of the 48-page report is actually file dumps that are only interesting if you want to replicate the work done in the report.
I cant verify the specific claims; I dont have access to all the software and data they have, but if their factual claims are accurate, then their conclusion that Ibragimov is involved is hard to dispute.
Sobig Forensics in the
The naming of Ibragimov is new, but the true function of Sobig was evident long ago. Mikko Hypponen, director of anti-virus research at Helsinki-based security software vendor F-Secure, evangelized the spam relay function of Sobig heavily in its heyday.
It was also noticed by all that versions of Sobig had expiration dates, shortly after which a new version would likely appear. Hypponen and other speculated at the time that these versions were written on contract for spammers and that the expirations were the enforcement of that contract. This doesnt sound all that different to me from what the anonymous report authors observe.
Anonymity of the sender is at the heart of both Send-Safe and Sobig, and a big reason for the FTC e-mail authentication summit in Washington last week. Sobig allows a spammer to use the infected system to send the e-mail; you might trace the mail back to that system, but not to the spammer, at least not easily.
A system of authentication wouldnt end spam, but it would make it much harder to send. Anonymous mail would be in a new, suspicious class of mail that users would eventually delete without scrutiny. Spam would likely authenticate to some actual domain if it wanted to get through. But what about open proxy engines like Sobig? They wouldnt make as much sense, unless they were modified to use the PCs ISP e-mail account to hide the sender. Since all those spam messages would come from the user of that computer, he would likely find out about it quickly.
Ibragimovs denials seem fishy, but like all the other evidence here you have to be skeptical of the presentation. The author of that article is also author of a book on big-time spammers. But Ibragimov says that the timing of version releases was pure coincidence, that his headers were designed to mimic those of Outlook Express, and that far from encouraging Trojaned proxy servers they have damaged his business. Theres reason to doubt all of this, but its hard to divorce all these judgments from the fact that Ibragimov is just plain detestable based on what he admits doing. For this reason, its important that the evidence be scrutinized carefully.
The report authors say they released the report now because it is one year since the creation of a rewards program funded by Microsoft for the apprehension of such malware writers. The Sobig author was one of the charter members of the Malware Rewards Club. The authors say they had already passed this information on to law enforcement authorities two months prior to the bounty program, so the reward was not their incentive.
But it makes you wonder about the whole thing: If all the authors claims are true, then either law enforcement (they dont say who exactly they contacted) is lazy or corrupt or incompetent. What needs to happen now is for someone to try to replicate this research—probably someone at an anti-spam and/or anti-virus firm—and go on record about it. The question then would be why Ibragimov is still at large and who at law enforcement dropped the ball. If the research doesnt pan out, we have to wonder who the “researchers” are.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer